Small Businesses: How to Educate Your Employees about COVID-19 Scams

May 14th, 2020

You own a small business and, because of social distancing, your office is now empty and your employees are scattered around the island, working from home. The huge increase in the number of workers using virtual environments can leave these individuals vulnerable to fraudsters whose aim is to steal sensitive information or engage in extortion. How do you keep your company and your workers safe?

The FBI has received thousands of complaints related to COVID-19 scams and has already disrupted hundreds of internet domains used to exploit Internet users. warns "The COVID-19 pandemic provides criminal opportunities on a scale likely to dwarf anything seen before."

Criminals are opportunistic and most effective when people are at their most vulnerable. During this time of uncertainty due to health concerns and financial hardships, employees are increasingly susceptible, especially if they aren't savvy techies and are likely spending more time on the computer than usual.

A single careless click from any one of your employees, working remotely, has the potential to corrupt computers or steal private information. Take the time to educate your work force with security best practices, to make sure they know:

  • how to recognize suspicious emails and mail
  • how to validate emails, phone calls and other communications
  • and how to report an incident promptly once they believe something has gone wrong.

To best protect your business from having sensitive information stolen, whether employees are working remotely or at the job site, it's essential that they be made familiar with the two main platforms these attackers use: telework applications and business email compromise (BEC).


Software that enables remote conversations opens a company to having sensitive information stolen. This includes voice over Internet protocol (VoIP) like Skype, and internet-based conference calls and apps such as WhatsApp. Telework also includes video conferencing software like Zoom. Malicious cyber actors are able to use these tools to eavesdrop or steal shared files.

What hackers do:

Hackers use software or phishing prompts to initiate calls, chats or send links that appear to be from a legitimate source, hoping you will "bite." They may also eavesdrop on conference calls or steal collaborative files during remote desktop sharing.

How to protect yourself and your workers:

The FBI offers a list of protective tips that you can share with your employees:

  • Use software only from trusted vendors.
  • Use settings that restrict access to remote meetings.
  • Require a password and only share the link to a meeting through private channels and never on public forums or social media profiles.
  • Don't click on links from senders you don't recognize, and only use remote desktop sharing or allow third-party access to your computer with caution, through approved support channels.
  • Ignore calls that offer tech support, as this is a gateway for scammers to obtain access to your computer. Microsoft reported that, even pre-COVID-19, they were receiving 11,000 complaints a month from victims of tech-support fraud alone.


Just as scammers target voice communication, they also target written communication. With businesses working remotely, the increased frequency of online interactions may mean sharing a greater amount of financial or sensitive information while interacting with vendors, coworkers and brokers. These transactions leave businesses open to email phishing.

What hackers do:

They use email to target business finances, personal information or both. In a typical scheme, an employee is tricked into conducting business with a fraudulent person rather than the person they normally do business with. They'll pretend to be a vendor you use regularly, or a customer, and say things such as they're having trouble opening an invoice "you sent them."

How to protect yourself and your workers:

According to the FBI, there are a series of steps you should educate your employees about:

  • Be cautious about a sender who will only communicate by email and not by phone, or who is expressing a sense of urgency with the transaction.
  • Don't trust sudden changes initiated by the sender, like a vendor suddenly asking for advance payment, or instructions to send a wire transfer using a new communication platform, to a new email address or to a new recipient.
  • Check to be sure the recipient's phone number and email address exactly match the information you have on file.
  • Stay current with new information on current scams and the latest cyber safety awareness, which is being posted by Federal and State authorities daily.
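
For whoever handles IT at your company, the "exactly match the information you have on file" check can be automated. The Python sketch below is an added example, not part of the FBI guidance or the original article; the vendor name, addresses and sample messages are constructed, and `check_sender` is a hypothetical helper.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor contact file: the addresses "on file" (hypothetical data).
ON_FILE = {"Acme Supplies": "billing@acme-supplies.example"}

# Constructed sample messages: one genuine, one with a lookalike domain.
LEGIT = ("From: Acme Supplies <billing@acme-supplies.example>\n"
         "Subject: Invoice 1042\n\nInvoice attached.\n")
SPOOF = ("From: Acme Supplies <billing@acme-supp1ies.example>\n"
         "Reply-To: pay@freemail.example\n"
         "Subject: URGENT: new bank details\n\nPlease wire today.\n")

def _edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw_message, on_file=ON_FILE):
    """Return warnings for a message that claims to come from a known vendor."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    known = {a.lower() for a in on_file.values()}
    warnings = []
    if addr not in known:
        warnings.append("sender address is not on file")
        domain = addr.rpartition("@")[2]
        for a in sorted(known):
            d = a.rpartition("@")[2]
            # A domain one or two characters off a real one is a classic BEC tell.
            if domain != d and _edit_distance(domain, d) <= 2:
                warnings.append(f"domain {domain} looks like on-file domain {d}")
    expected = on_file.get(name)
    if expected and expected.lower() != addr:
        warnings.append(f"display name '{name}' is on file with {expected}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        warnings.append("Reply-To differs from From address")
    return warnings

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, check_sender(raw))
```

Any warning means the employee should confirm the request by calling the phone number already on file, not one given in the email.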

If You See Something, Say Something

You can't respond to a security breach if you don't know about it, so it's important to instill in your employees the importance of promptly reporting even suspected problems.

Make sure your employees know who to reach out to when they encounter something suspicious: their supervisor, the person in charge of IT—anyone who makes sense for your specific company.

And make sure your employees understand that they won't automatically get into trouble because they made a mistake and clicked the wrong link in an email. You want to promote a work atmosphere that encourages people to speak up, so you can squash scams and fraud as quickly as possible.

Online schemers are constantly on the prowl, and even more so now that COVID-19 has brought unprecedented changes to business. Having the proper protocols can protect you and your company from hoaxes that use ransomware and blackmail or other methods to obtain sensitive information or reroute your finances to a fraudulent third party. You just need to make sure you educate your work force so they're equipped to help fight fraud.
